Preventing URL Invocation

Sometimes, you may have code that should never be invoked by navigating to a particular URL. For those situations, Trongate v2 offers the block_url() function.

With block_url(), you explicitly declare which module (or module/method combination) should be blocked from URL access, and the framework enforces it.

How The block_url() Helper Function Works

The block_url() helper function accepts a string that identifies the module or module-method pair you wish to protect.

The function accepts one argument - a string that represents one of the following:

'module' - blocks all methods in the module from URL access
'module/method' - blocks only that method from URL access

The helper compares the supplied $block_path against the current URL segments and returns a 403 Forbidden response when a match is detected.

Blocking a Single Method

To block browser access to a specific method, call block_url() at the top of the method body and pass the module-method combination via $block_path:

The result:

/reports/dashboard → ✓ Works
/reports/generate_pdf → ✗ Returns 403 Forbidden
$this->reports->generate_pdf() → ✓ Works from code

The method remains public and callable from other modules. Only direct URL invocation is blocked.

How It Works

When a request is made, block_url() inspects the supplied $block_path and compares it with the current URL segments.

In the above example, if a visitor attempts to access:

/reports/generate_pdf
The framework routes to Reports::generate_pdf()
block_url('reports/generate_pdf') executes
Segment 1 equals reports and segment 2 equals generate_pdf
A 403 Forbidden response is returned and execution stops

However, when the same method is called from code:

Code executes $this->reports->generate_pdf()
The current URL reflects whatever page the user is actually visiting
The segment comparison does not match
Execution continues normally

Blocking an Entire Module

Some modules should never be accessed via a browser. Examples include payment processors, email handlers, background services, and internal utility modules.

To block all methods in a module, pass only the module name to block_url() via $block_path. The most appropriate place to do this is inside the constructor.

The result:

/payment/process_charge → ✗ Returns 403 Forbidden
/payment/refund → ✗ Returns 403 Forbidden
$this->payment->process_charge(100) → ✓ Works from code
$this->payment->refund('txn_123') → ✓ Works from code

The constructor code, used in the example above, will work in most cases. However, there are edge cases where different syntax would be required for invoking a constructor. For a full explanation, see Mastering Constructors.

Form Validation Callbacks

Validation callbacks should always be protected to prevent direct browser access.

Use block_url() inside the callback and pass the appropriate module-method target via $block_path:

This ensures the callback can only be executed by the validation engine and can never be triggered by visiting /members/username_check directly in a browser.

Do not use block_url() on module paths that appear in your custom routing configuration.

Keep it simple! Mixing URL blocking with custom routing creates unnecessary complexity and hard-to-debug behaviour.

Use block_url('module/method') when:

A specific method should never be invoked directly via a browser
Writing validation callbacks
Creating helper methods used internally by other code

Use block_url('module') when:

No methods in the module should be URL-accessible
The module exists purely as a utility
You want clear, explicit, blanket protection

Attention v1 Veterans

Trongate v1 prevented URL invocation by usage of an "underscore-first" method naming convention.

Trongate v2 removed this approach. To learn why, check out this essay:

Why The Underscore-First Trick Had To Go.